This document provides guidance on evaluating, directing, and monitoring risk management as it relates to information technology. It outlines three key governance practices - EDM03.01 to evaluate risk management, EDM03.02 to direct risk management, and EDM03.03 to monitor risk management. For each practice, it lists relevant inputs and outputs, and provides example activities to implement the practice such as determining risk appetite, directing risk integration plans, and monitoring metrics against targets. The overall goal is to ensure IT risk is appropriately managed and does not exceed the organization's risk tolerance.


Enabling Processes
Evaluate, Direct and Monitor

EDM03 Process Practices, Inputs/Outputs and Activities
Governance Practice
EDM03.01 Evaluate risk management.
Continually examine and make judgement on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise's risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed.

Inputs
From            Description
APO12.01        Emerging risk issues and factors
Outside COBIT   Enterprise risk management principles

Outputs
Description                                   To
Risk appetite guidance                        APO12.03
Approved risk tolerance levels                APO12.03
Evaluation of risk management activities      APO12.01

Activities
1. Determine the level of IT-related risk that the enterprise is willing to take to meet its objectives (risk appetite).
2. Evaluate and approve proposed IT risk tolerance thresholds against the enterprise's acceptable risk and opportunity levels.
3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.
4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
5. Determine that IT use is subject to appropriate risk assessment and evaluation, as described in relevant international and national standards.
6. Evaluate risk management activities to ensure alignment with the enterprise's capacity for IT-related loss and leadership's tolerance of it.

Governance Practice
EDM03.02 Direct risk management.
Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.

Inputs
From            Description
APO12.03        Aggregated risk profile, including status of risk management actions
Outside COBIT   Enterprise risk management (ERM) profiles and mitigation plans

Outputs
Description                                           To
Risk management policies                              APO12.01
Key objectives to be monitored for risk management    APO12.01
Approved process for measuring risk management        APO12.01

Activities
1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how).
5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.

40

Personal Copy of: Mr. Dong Hong Wang

Chapter 5. COBIT 5 Process Reference Guide Contents

EDM03 Process Practices, Inputs/Outputs and Activities (cont.)

Governance Practice
EDM03.03 Monitor risk management.
Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

Inputs
From        Description
APO12.02    Risk analysis results
APO12.04    • Opportunities for acceptance of greater risk
            • Results of third-party risk assessments
            • Risk analysis and risk profile reports for stakeholders

Outputs
Description                                               To
Remedial actions to address risk management deviations    APO12.06
Risk management issues for the board                      EDM05.01

Activities
1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
2. Monitor key goals and metrics of risk governance and management processes against targets, analyse the cause of any deviations, and initiate remedial actions to address the underlying causes.
3. Enable key stakeholders' review of the enterprise's progress towards identified goals.
4. Report any risk management issues to the board or executive committee.

EDM03 Related Guidance
Related Standard            Detailed Reference
COSO/ERM; ISO/IEC 31000     Framework for Risk Management
ISO/IEC 38500
King III                    • 5.5. IT should form an integral part of the company's risk management.
                            • 5.7. A risk committee and audit committee should assist the board in carrying out its IT responsibilities.

41
